Security Control Auditor

Summary:

The Security Control Auditor is a critical member of the chief information security officer's (CISO's) team. The role is responsible for ensuring that the security controls in place across the organization*s information systems are functioning as intended to protect sensitive healthcare data and maintain compliance with applicable regulations. This role involves auditing and validating the effectiveness of security controls identifying gaps and working with various teams to implement improvements.

Responsibilities:

Conduct regular audits of security controls to ensure they are implemented and function as intended across the organization*s technology environments including cloud on-premises and hybrid systems.

Validate the effectiveness of controls in the environment such as but not limited to multi-factor authentication (MFA) O365 conditional access policies firewall rules IPS rules SIEM alerting / detection and security platform controls.

Develop and deliver reports on the status of security controls including compliance with organizational policies industry standards and regulatory requirements.

Identify document and report any deviations from policy / standards recommend corrective actions and review security policies and control documentation to align with current practices.

Review and recommend updates to security policies procedures and control documentation to ensure they reflect current security practices and regulatory requirements.

Monitor emerging threats vulnerabilities and industry best practices to ensure security controls remain effective and aligned with the evolving threat landscape.

Drive process improvements for security control validation procedures to optimize efficiency and effectiveness.

Provide expertise on security best practices across IT infrastructure and enterprise operations to support secure business strategies.

Perform detailed security risk assessments on IT Infrastructure as directed.

Design and implement security control testing procedures to validate the continued effectiveness of all IS Security mandated controls. This will include White Box testing to see if implemented controls and alerting are tripped resulting in an incident/escalation from Security Team.

Perform Risk Register Validations as directed.

Researches and assists in the piloting and evaluation of new tools technologies technical controls and processes to support and enforce defined security policies.

Develop a strong working relationship with the security team to develop and implement controls and configurations aligned with security policies and legal regulatory and audit requirements.

Assists in the development and documentation of security policies standards and procedures.

Performs other duties as assigned.

Other information:

EDUCATION:

A bachelor's degree in information systems or equivalent work experience; an M.B.A. or M.S. in information security is preferred.

Active Certifications Required (3 or more - CISSP CCSP OSCP OSCE CISA CRISC GIAC CEH Security+ CCNA Security CCNP Security.)

EXPERIENCE:

A minimum of ten years of IS experience with five years in a hands-on information security role.

Experience with scripting and automation to streamline processes.

Subject Matter Expert (SME) level knowledge of security tools trends methodologies and best practices for securing platforms and operating systems at the server client and handheld level

Motivated self-starter who has a track record of taking ownership of information security challenges and driving them to resolution.

Must be able to thrive in a fast-paced rapidly evolving security department/environment with varying priorities while interacting with other departments that are moving at a much slower speed.

Thorough and current understanding of a wide range of threat vectors and their potential exploits against current corporate controls and platforms.

Strong knowledge of industry frameworks related to information security (e.g. ISO 27000 NIST HIPAA Security CIS Benchmarks etc.)

Experienced in the use of virtualization technologies including those that utilize cloud services such as Azure/AWS.

Excellent technical knowledge of mainstream operating systems [for example Microsoft Windows and Linux] and a wide range of security technologies such as network security appliances identity and access management (IAM) systems anti-malware solutions automated policy compliance tools and desktop security tools.

Maintain an expert knowledge of InfoSec industry trends and developments and advise on changes to the threat landscape.

Knowledge of network infrastructure including routers switches firewalls and the associated network protocols and concepts.

Excellent interpersonal verbal and written communication and organizational skills.

Ability to communicate security guidance to a non-technical audience.

INDEPENDENT ACTION:

Functions independently within departmental policies and practices. Must be able to work independently in a manner to achieve goals objectives and productivity requirements.

SUPERVISORY RESPONSIBILITIES:

Employee functions independently within department policies and practices; refers specific decisions to security management where authority is outside of the defined departmental RACI Matrix or clarification of departmental policies and procedures may be required.

Brown University Health is an Equal Opportunity / Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race color religion sex national origin age ethnicity sexual orientation ancestry genetics gender identity or expression disability protected veteran or marital status. Brown University Health is a VEVRAA Federal Contractor.

Location: Brown University Health Corporate Services USA:RI:Providence

Work Type: Full Time

Shift: Shift 1

Union: Non-Union

Test